You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/code-security/reference/secret-security/secret-types.md
+46-2Lines changed: 46 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,7 +18,7 @@ category:
18
18
19
19
## How {% data variables.product.github %} stores secrets
20
20
21
-
{% data variables.product.github %} uses [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to encrypt secrets. A secret is encrypted before reaching {% data variables.product.github %} and remains encrypted until it's used by {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_actions %}, or {% data variables.product.prodname_codespaces %}.
21
+
{% data variables.product.github %} uses [Libsodium sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to encrypt secrets. A secret is encrypted before reaching {% data variables.product.github %} and remains encrypted until it's used by {% data variables.product.prodname_dependabot %}, {% data variables.product.prodname_actions %}, {% data variables.product.prodname_codespaces %}, or {% data variables.copilot.copilot_cloud_agent %}.
22
22
23
23
{% endif %}
24
24
@@ -118,6 +118,49 @@ Organization-level secrets:
118
118
* {% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.github %} secrets that are printed to workflow logs.
119
119
* You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets. Secrets are limited to 48 KB in size. For more information, see [Limits for secrets](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#limits-for-secrets).
120
120
121
+
{% ifversion copilot %}
122
+
123
+
## Agents secrets
124
+
125
+
Agents secrets are used to store credentials and sensitive information for {% data variables.copilot.copilot_cloud_agent %}.
126
+
127
+
### Usage
128
+
129
+
Agents secrets are exposed to {% data variables.copilot.copilot_cloud_agent %} as environment variables in its ephemeral development environment. They can be used by scripts and tools that the agent runs, including `copilot-setup-steps.yml`. For MCP server configuration, only Agents secrets whose names begin with `COPILOT_MCP_` are available to the MCP configuration.
130
+
131
+
### Scope
132
+
133
+
You can define Agents secrets at:
134
+
135
+
* Repository level
136
+
* Organization level
137
+
138
+
Agents secrets can be shared across repositories when set at the organization-level. You can use access policies to control which repositories can access the secret.
139
+
140
+
### Access permissions
141
+
142
+
Agents secrets are only available to {% data variables.copilot.copilot_cloud_agent %}.
143
+
144
+
{% data variables.copilot.copilot_cloud_agent %} does not have access to {% data variables.product.prodname_actions %}, {% data variables.product.prodname_codespaces %}, or {% data variables.product.prodname_dependabot %} secrets. Likewise, {% data variables.product.prodname_actions %}, {% data variables.product.prodname_codespaces %}, and {% data variables.product.prodname_dependabot %} cannot access Agents secrets.
145
+
146
+
#### User access permissions
147
+
148
+
Repository-level secrets:
149
+
* Users with **admin access** to the repository can create and manage Agents secrets.
150
+
* Users with **collaborator access** to the repository can use the secret through {% data variables.copilot.copilot_cloud_agent %}.
151
+
152
+
Organization-level secrets:
153
+
***Organization owners** can create and manage Agents secrets.
154
+
* Users with **collaborator access** to the repositories with access to each secret can use the secret through {% data variables.copilot.copilot_cloud_agent %}.
155
+
156
+
### Limitations and restrictions
157
+
158
+
* Agents secrets are only passed to {% data variables.copilot.copilot_cloud_agent %}.
159
+
* Secret values are masked in {% data variables.copilot.copilot_cloud_agent %} session logs.
160
+
* For secrets you want to pass to MCP servers, the secret name must begin with `COPILOT_MCP_`.
161
+
162
+
{% endif %}
163
+
121
164
{% ifversion fpt or ghec %}
122
165
123
166
## {% data variables.product.prodname_codespaces %} secrets
0 commit comments